Hi all, I've developed an extension for the ASSP_AFC.pm plugin - ASSP_AFCSMIME. This extension makes it possible to SMIME sign all or specified corporate or private emails with a single certificate, instead of having a private certificate for each user.
The first version of this feature was developed in 07/2014 and has now reached version 4.07 of ASSP_AFC.pm. This feature is the first NOT publicly licensed feature in assp - it requires one license per assp installation. To prevent any question: Until now, I've made no decision about the license model (per install, per domain, per user, per mail .... ?) - also a possible pricing model is not fixed yet. I only want to know if someone wants to try this feature - if so, email me at my private email address. Please include 'SMIME' in the subject.

A brief description of the feature is at the bottom of this mail, along with a short description of how corporate SMIME signing works.

Thomas

'ASSP_AFCSMIME','SMIME sign outgoing mails*'

If configured, outgoing mails will be digitally signed according to the SMIME specifications. It is possible to configure private and/or corporate signatures. In any case, the "file:" option must be used - specify one configuration per line. The domain or user is separated by "=>" from the signing configuration/policy. It is possible to use group definitions of domains and users using the [ Groups ] option. Define one line per domain or user or group. Configuration entries are separated by comma. Configuration entry pairs (tag and value) are separated by "=". File definitions for the certificate and private key have to include the full path to the file! Certificate and private key have to be provided in PEM format. If you exchange any certificate or key file, click "Edit file" and save the file again to force a reload of the internal certificate store. The domain / user part accepts full email addresses, domains and groups - wildcards are supported and must be used for domain definitions. The domain / user part is compared to the envelope sender - the first matching entry (in reverse generic order) will be used. Entries starting with a minus sign explicitly exclude the domain/user/group from SMIME processing.
certfile - is required and specifies the full path to the certificate to use. The subject of the certificate has to include a valid email address. In the normal case, this email address is specified by the cert-subject-tag "emailAddress". The "FROM:" address in the mail header will be replaced by this email address and a "Reply-To:" line with the original sender is added (or replaced) in the mail header. If the subject of the certificate specifies the email address in another tag, define this tag (NOT the email address) after "emailaddress=".
keyfile - is required and specifies the full path to the file that contains the private key
keypass - the tag is required, the value is optional - defines the password required (or not) for the private key
emailaddress - is optional - please read "certfile"
rcpt - is optional - include/[-]exclude mails to specified users and/or domains (recipients) - to exclude addresses, write a minus in front - separate multiple entries by space

examples:
(1) user@your.domain => certfile=/certs/user_cert.pem, keyfile=/certs/user_key.pem, keypass=, rcpt=-otheruser@other.domain
(2) *your.domain => certfile=/certs/corporate_cert.pem, keyfile=/certs/corporate_key.pem, keypass=mypassword
(3) *@your.domain => certfile=/certs/corporate_cert.pem, keyfile=/certs/corporate_key.pem, keypass= , emailaddress=Email
(4) -user4@your.domain
(5) -*@*.your.domain
(6) -[no_smime]

The first example specifies a private signing policy which excludes the recipient otheruser@other.domain; the second and third examples specify a corporate signing policy (with and without subdomains). The fourth example excludes the user "user4@your.domain" from SMIME processing. The fifth example excludes all subdomains of "your.domain" from SMIME processing. The last example excludes all domains, subdomains and users defined in the group "[no_smime]" from SMIME processing.
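To make the policy format concrete, here is an added example (my own Python, not ASSP's Perl code) that parses a constructed "file:" configuration built from examples (1), (3), (4) and (5) and resolves which entry applies to a given envelope sender and recipient. Group definitions ([...]) are left out; the "reverse generic order" ranking and the meaning of plain (non-minus) rcpt entries are assumptions and are marked as such in the code.

```python
import fnmatch

# Constructed sample of the "file:" configuration described above, following
# examples (1), (3), (4) and (5) of the text; not a real deployment.
SAMPLE_CONFIG = """
user@your.domain => certfile=/certs/user_cert.pem, keyfile=/certs/user_key.pem, keypass=, rcpt=-otheruser@other.domain
*@your.domain => certfile=/certs/corporate_cert.pem, keyfile=/certs/corporate_key.pem, keypass=, emailaddress=Email
-user4@your.domain
-*@*.your.domain
"""

def parse_config(text):
    """Return (pattern, is_exclude, settings) tuples, one per non-empty line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        left, sep, right = line.partition("=>")
        settings = {}
        for pair in right.split(",") if sep else []:
            tag, _, value = pair.strip().partition("=")
            settings[tag.strip()] = value.strip()
        left = left.strip()
        entries.append((left.lstrip("-").lower(), left.startswith("-"), settings))
    return entries

def _specificity(entry):
    # Assumption: "reverse generic order" is read as fewest wildcards first, then
    # longest pattern first; ASSP's exact ordering is not stated in the mail.
    return (entry[0].count("*"), -len(entry[0]))

def signing_policy(entries, envelope_sender, recipient):
    """Return the settings to sign with, or None when the mail stays unsigned."""
    sender, rcpt_addr = envelope_sender.lower(), recipient.lower()
    for pattern, is_exclude, settings in sorted(entries, key=_specificity):
        if not fnmatch.fnmatchcase(sender, pattern):
            continue
        if is_exclude:
            return None
        rcpt = settings.get("rcpt", "").lower().split()
        excluded = [r[1:] for r in rcpt if r.startswith("-")]
        included = [r for r in rcpt if not r.startswith("-")]
        if any(fnmatch.fnmatchcase(rcpt_addr, p) for p in excluded):
            return None
        # Assumption: plain rcpt entries restrict signing to those recipients only.
        if included and not any(fnmatch.fnmatchcase(rcpt_addr, p) for p in included):
            return None
        return settings
    return None
```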
corporate SMIME signing:

Assume we define the following configuration line:

*@your.domain.com => certfile=/certs/corporate_cert.pem, keyfile=/certs/corporate_key.pem, keypass=

Now let's say the subject of the specified certificate (corporate_cert.pem) contains .../emailAddress=central.off...@your.domain.com/...

Your local user "mark.schm...@your.domain.com" sends a mail to an external recipient. The related mail headers are:

From: "Mark Schmitz" <mark.schm...@your.domain.com>
Disposition-Notification-To: <mark.schm...@your.domain.com>

After SMIME signing the mail, the related mail headers are the following:

From: "Mark Schmitz" <central.off...@your.domain.com>
Disposition-Notification-To: <mark.schm...@your.domain.com>
Reply-To: <mark.schm...@your.domain.com>
References: assp-corp-smime-mark.schm...@your.domain.com

The mail client of the recipient will validate the signature against the "From" address - which corresponds to the email address specified in the subject of the certificate -> VALID

Pressing the "REPLY/ANSWER" button, the mail client of the recipient will provide "mark.schm...@your.domain.com" as the recipient address (To:) for the answer, using the entry in the "Reply-To:" header. Notice that some bad and/or older mail clients ignore the "Reply-To:" header tag - in such a case an answered mail will go to "central.off...@your.domain.com". ASSP will help you a bit to prevent this. In addition to the required mail header changes, assp will add or extend the "References:" mail header tag with a value of "assp-corp-smime-EMAILADDRESS", where EMAILADDRESS is the original sender address. If assp receives an answered mail, it will look for such an entry in the mail header and will add the found email address to the "To" header, if it is not already found there.
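The header changes described above, as an added Python example (not ASSP's own code): the outgoing side swaps From for the certificate address, sets Reply-To and the "assp-corp-smime-" References marker, and the inbound side restores the original sender into To when an answer carries that marker. The mail addresses and messages are constructed for the example; the S/MIME signature itself is not produced here.

```python
from email import message_from_string
from email.utils import formataddr, getaddresses, parseaddr

REF_PREFIX = "assp-corp-smime-"

# Constructed outgoing mail from a local user (headers only, not a real message).
OUTGOING = """From: Mark Schmitz <sender@your.domain.com>
Disposition-Notification-To: <sender@your.domain.com>
To: <partner@other.example>
Subject: Offer
"""

# Constructed answer from the external side; its client ignored Reply-To but
# kept the References marker that was added on the way out.
REPLY = """From: <partner@other.example>
To: <office@your.domain.com>
References: <123@other.example> assp-corp-smime-sender@your.domain.com
Subject: Re: Offer
"""

def _set(msg, name, value):
    # Add the header, or replace it if the mail already carries one.
    if name in msg:
        msg.replace_header(name, value)
    else:
        msg[name] = value

def prepare_for_corporate_signing(raw, cert_address):
    """From takes the certificate's address; Reply-To and a References marker
    keep the original sender. Other headers (e.g. Disposition-Notification-To) stay."""
    msg = message_from_string(raw)
    name, original = parseaddr(msg.get("From", ""))
    _set(msg, "From", formataddr((name, cert_address)))
    _set(msg, "Reply-To", formataddr(("", original)))
    marker = REF_PREFIX + original
    _set(msg, "References", (msg.get("References", "") + " " + marker).strip())
    return msg

def restore_sender_on_reply(raw):
    """On an answer, add the sender named by the marker to To if not already there."""
    msg = message_from_string(raw)
    present = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    for token in msg.get("References", "").split():
        if token.startswith(REF_PREFIX):
            wanted = token[len(REF_PREFIX):]
            if wanted.lower() not in present:
                current = msg.get("To", "")
                _set(msg, "To", f"{current}, {wanted}" if current else wanted)
                present.add(wanted.lower())
    return msg
```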
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test